I wonder how many web servers are serving (or have ever served) the private key file as (part of) their certificate chain by doing similar. https://twitter.com/avadacatavra/status/836732794445381632
Even an implementation that might expect Base64 encoding might just use a regex like "-.+" to skip BEGIN/END lines.
Or, maybe it searches for "BEGIN CERTIFICATE" & when not found assumes the file is a binary (not Base64) DER cert.
Then it will fail to parse it. Base64 obviously won't parse as DER.
I bet many TLS servers never parse their own certificates. Definitely many never validate their own certs.
Oh well… I feel sorry for people who use such software.
This is a pretty broken implementation :)
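The loose parsing described in the thread (skipping `-----` lines with a regex and never checking what each block actually is) is what lets a private key ride along in a chain file. The strict PEM loader below is an added example written for this page, not code from anyone in the thread; it parses every block, rejects any label other than CERTIFICATE, and sanity-checks that the decoded body starts with a DER SEQUENCE tag. The sample chains it uses are constructed from a dummy DER SEQUENCE, not real certificates or keys.

```python
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def parse_pem(text):
    """Return [(label, der_bytes)]; raise ValueError on any structural defect."""
    blocks, label, body = [], None, []
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        begin, end = BEGIN_RE.match(line), END_RE.match(line)
        if not line:
            continue
        if label is None:                       # expecting a BEGIN line
            if not begin:
                raise ValueError(f"line {lineno}: expected BEGIN, got {line!r}")
            label, body = begin.group(1), []
        elif end:                               # END must match the open BEGIN
            if end.group(1) != label:
                raise ValueError(f"line {lineno}: END label mismatch for {label!r}")
            # validate=True makes stray non-Base64 bytes an error, not silently dropped
            blocks.append((label, base64.b64decode("".join(body), validate=True)))
            label = None
        elif B64_LINE_RE.match(line):
            body.append(line)
        else:
            raise ValueError(f"line {lineno}: non-Base64 data inside {label!r} block")
    if label is not None:
        raise ValueError(f"unterminated {label!r} block")
    return blocks

def load_cert_chain(text):
    """Accept only CERTIFICATE blocks whose DER begins with a SEQUENCE tag (0x30)."""
    chain = []
    for label, der in parse_pem(text):
        if label != "CERTIFICATE":
            raise ValueError(f"refusing non-certificate block in chain: {label}")
        if not der or der[0] != 0x30:
            raise ValueError("CERTIFICATE body is not a DER SEQUENCE")
        chain.append(der)
    return chain

def _block(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed stand-ins: a minimal DER SEQUENCE { INTEGER 1 }, not a real cert or key.
FAKE_DER = bytes.fromhex("3003020101")
GOOD_CHAIN = _block("CERTIFICATE", FAKE_DER) * 2
LEAKY_CHAIN = _block("CERTIFICATE", FAKE_DER) + _block("RSA PRIVATE KEY", FAKE_DER)
```

Running `load_cert_chain(LEAKY_CHAIN)` raises instead of quietly shipping the key block to clients, which is the check a chain loader should make before the file is ever served.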